Hello
Is Mcafee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.
Details
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://www.kb.cert.org/vuls/id/720951
https://www.openssl.org/news/secadv_20140407.txt
Stefan
Message was edited by: sthe on 4/8/14 10:41:49 AM CEST
Message was edited by: sthe on 4/8/14 10:42:27 AM CESTSolved! Go to Solution.
Hello
Now this is the definitive answer:
Security Bulletin
https://kc.mcafee.com/corporate/index?page=content&id=SB10071
"What to do after upgrading Web Gateway to combat Heartbleed"
https://kc.mcafee.com/corporate/index?page=content&id=KB81669
Well a lot of work to do...
Hello,
it is possible that MWG is vulnerable, but investigations are currently on-going. There should be an official announcement later. If you need some official information immediately I recommend to file a service request with technical support.
Best,
Andre
Hello Andre
Thank you for your fast reply. I would appreciate any further details as soon as they are available.
If MWG is vulnerable there are some more questions to come...
Thanks
Stefan
Hello,
further details are available. Since this is security related we would like to prevent discussing details on a public space. Please file a service request with technical support, they will provide you with the latest available information. I have talked to them and they are awaiting you 🙂
Best,
Andre
Hello Andre
SR is filed
I am not going to post details about the answer I get. I keep it confidential.
Can you update the post when official information is available?
I think other people are also interested.
Best
Stefan
Thank you,
I talked to the support manager and there will be an official response in form of a SNS (support notification service). I encourage every customer to subscribe, as important official information is provided through this channel. You can find more details on
https://kc.mcafee.com/corporate/index?page=content&id=KB67828
Please look out for the SNS which will contain all necessary information. I am not allowed to give any kind of official response, so please follow the notification. In case questions remain I still recommend to file an SR with support to have some official response and updates.
Besides that certainly I am happy to help 🙂
Best,
Andre
We're still waiting for an SNS. How hard is it to test the products and let customers know which components are vulnerable so they can make appropriate risk decisions? By all means, let all your customers test individually, customer's time has no value right?
I had to create an account just to throw this out there. This product IS vulnerable. I have tested with a copy of a tool internally and externally against this product. It IS vulnerable and it took me less than 10 minutes to prove that. Let's get some action here McAfee... some of us have certs that we would rather not have to re-issue, and replace on hundreds or thousands of devices.
What aspect of MWG is vulnerable? I ran exploit against the management console and it wasn't vulnerable. Do you mean the proxy's SSL interception function is vulnerable?
I did the same. The response I got was "Server returned error, likely not vulnerable"
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA